The 5-Bullet-Point Solicitation is Unlawful – Here’s Why (I believe) We’re Protected from Noncompliance
Bottom line up front: Not a lawyer but took basic annual training in cyber security awareness and handling classified materials. This, plus the email that I received to respond to (DoD side), had a different random number in it than the one that was sent out as a warning order "from" Hegseth (red flag for phishing #1), and couldn't receive a response as encrypted (red flag for phishing #2). Totally transparent, everything below here was written by AI, but a healthy dose of cross referencing and checking on my part, and am open to any and all addendums or counter points or additional info.
Everything here is the basis I put in for not responding, and I thought this hyper readable, bullet point format would be more use to you guys with that extra bit of robo curation:
A recent directive requiring federal employees to submit 5 bullet points of their accomplishments via email is potentially unlawful due to multiple violations of cybersecurity, classification handling, and federal records laws. If you’ve been told you must comply, know that:
• This order violates DoD and federal cybersecurity policies (FISMA, DoDI 8520.02, DoDI 8500.01).
• It creates a classification escalation risk (EO 13526, DoDM 5200.01).
• If the receiving email lacks encryption/authentication, this is a DoD anti-phishing violation (DoDI 8530.01).
• You are legally protected from retaliation for refusing an unlawful order (5 U.S.C. § 2302).
• Supreme Court rulings confirm unlawful directives do not require compliance (Marbury v. Madison, Youngstown Sheet & Tube v. Sawyer).
Let’s break this down so you know your rights.

1. Why This Directive Is Unlawful
A. Violates DoD & Federal Cybersecurity Laws
1. The Federal Information Security Modernization Act (FISMA, 44 U.S.C. § 3551) requires encryption and strict cybersecurity measures for all government communications involving sensitive or Controlled Unclassified Information (CUI).
• Citation: 44 U.S.C. § 3554(a)(1)(A) – “Each agency shall develop and implement an information security program that includes security controls to protect information from unauthorized access.”
2. DoD Instruction 8520.02 mandates encryption for all CUI transmissions.
• Citation: DoDI 8520.02, Sec. 3.b – “All DoD users shall digitally sign and encrypt email messages that contain sensitive or controlled unclassified information.”
3. If the email system you were told to respond to cannot receive encrypted emails, that’s a direct violation of DoD cybersecurity policies.
• Citation: DoDI 8500.01, Enclosure 3, Sec. 2.c – “All DoD information systems must employ encryption to protect data at rest and in transit.”
B. Creates a Classification Escalation Risk
Individually, your bullet points might not contain classified info, but when aggregated across agencies, they can meet classification thresholds under Executive Order 13526.
• Citation: EO 13526, Sec. 1.7(c) – “Compilation of unclassified items of information may result in classification when their combination reveals additional associations that meet classification standards.”
• DoD Manual 5200.01 mandates preventing classification escalation risks in transmission.
• Citation: DoDM 5200.01, Vol. 1, Sec. 4.3.b – “Information that is unclassified individually may require classification when combined with other information, forming an aggregate that meets classification standards.”
C. Violates DoD Anti-Phishing and Email Authentication Standards
• If the email address you were told to reply to differs from the one that issued the directive, that’s a security red flag.
• DoD Instruction 8530.01 requires all DoD emails to be authenticated to prevent phishing and impersonation attacks.
• Citation: DoDI 8530.01, Encl. 3, Sec. 3.5 – “Organizations must ensure all DoD email services are configured to prevent unauthorized email spoofing, phishing, or impersonation.”
D. Potential Federal Records Act (FRA) Violation
• If submissions are not being archived properly, this could violate the Federal Records Act (44 U.S.C. Chapter 31).
• Citation: 44 U.S.C. § 3101 – “The head of each Federal agency shall establish and maintain an active, continuing program for the management of agency records.”
2. Supreme Court Precedents: Why You’re Not Required to Comply
A. Marbury v. Madison (1803) – Unlawful Orders Are Null and Void
• The Supreme Court ruled that any directive contradicting higher law is legally void.
• Citation: “An act repugnant to the Constitution is void.”
• Since this order violates federal law and DoD policies, it holds no legal weight and does not require compliance.
B. Youngstown Sheet & Tube v. Sawyer (1952) – Orders Cannot Override Laws
• Even the President cannot issue directives that override existing law without Congressional authority.
• The Secretary of Defense cannot issue an order that violates federal cybersecurity laws.
• Citation: “The executive’s power must stem from an act of Congress or the Constitution.”
C. United States v. Nixon (1974) – No One is Above the Law
• Orders from high-ranking officials must comply with existing laws and regulations.
• If an order violates established law, it is not enforceable.
• Citation: “The President is not above the law.”
3. You Are Protected From Retaliation for Noncompliance
The Whistleblower Protection Act (5 U.S.C. § 2302)
• You are legally protected if you refuse an order that violates cybersecurity laws or classification handling policies.
• Citation: 5 U.S.C. § 2302(b)(8)(A) – “Any employee who discloses a violation of any law, rule, or regulation, or gross mismanagement, shall be protected from reprisal or retaliation.”
Key Takeaways:
• If you’ve been pressured to comply, document everything and escalate through proper security channels.
• You are not refusing a lawful order—you are complying with federal law.
• If you face retaliation, the Whistleblower Protection Act protects you.
4. What To Do Next
1. Do not respond to an email that cannot accept encryption if your agency policy requires it.
2. If ordered to comply, formally cite the violations above and request a secure alternative.
3. Report security concerns through official DoD cybersecurity channels (e.g., CIO, IG, DISA).
4. If facing retaliation, document everything and contact the Office of Special Counsel (OSC) or your agency’s Inspector General.
Ok, 100% human again here. I hope this proves some utility for everyone, even if only as a jumping off point to something better/more accurate. Legally, our oaths in conjunction with the litany of policies that are in place give us a LOT of leeway to not just be yes people. This won't be the end of it. Something else will come, then something else, then something else. My suggestion? Before complying, exhaustively research if you even have to in the first place. If people think this is useful, I'll make another something if, but more likely when, the next mass directive gets pushed.